How Little We Still Know About The NSA's PRISM Program

Over a week after the Guardian and the Washington Post first reported that leaked documents showed the National Security Agency accessed user data from nine major tech companies, the extent of those businesses' involvement in the surveillance program is still far from clear. Though many of the companies linked to the program quickly issued strongly worded statements denying they gave any government agency direct access to users' information, experts say questions remain about their exact role in the classified PRISM data collection program.

Elizabeth Goitein is an attorney who previously served on the staff of former Sen. Russ Feingold (D-WI) and currently is co-director of the Liberty and National Security Program at NYU law school's Brennan Center for Justice. In light of the documents leaked to the press, Goitein told TPM the tech companies' claim that they did not participate in the NSA's data collection program is "a head scratcher."

"It's got to be ... one of three things. Either they are lying because they don't want to lose customers, or ... it's something the government has done without their knowledge, ... or they felt compelled by the terms of their non-disclosure agreement to say that," Goitein said. "Some of them are saying, 'We never gave the government access.' ... It doesn't seem very plausible. Frankly, none of them seem plausible."

Nate Cardozo believes there is another possibility.

Cardozo is a staff attorney with the "digital civil liberties team" of the Electronic Frontier Foundation, a group dedicated to "defending free speech, privacy, innovation, and consumer rights." EFF has filed lawsuits over NSA surveillance programs (a photo of NSA leaker Edward Snowden shows an EFF sticker on his laptop). Cardozo pointed to the fact that many of the statements from the tech companies named in the PRISM documents contained similar language about "direct access." According to Cardozo, this means the denials could be correct from a "technical perspective" and "an engineering perspective" while still hiding the businesses' cooperation with the NSA.

To make his point, Cardozo pointed to the NSA's use of divers during the Cold War to tap underwater Soviet phone lines and to a pending 2008 EFF lawsuit against the NSA that alleges the agency installed a device in a "secret room" at an AT&T facility in San Francisco to listen to incoming calls. Cardozo argued that if the NSA used similar tactics to extract data from tech companies it would not necessarily constitute "direct access."

"It's not direct access to the servers, what it is is a sniffer on the line," Cardozo said.

Cardozo also identified another way the companies could have cooperated with the agency that would not have constituted "direct access" to their servers.

"Say that the secret room with the splitter isn't at the Google facility. Let's say it's at an AT&T facility. The NSA at the AT&T facility can see all of the Google traffic, but it's all encrypted," Cardozo explained. "If the cooperation from the company is handing over the Google private key so the NSA can read all of that data. ... That is absolutely cooperation, but it's certainly not direct access."

TPM asked all nine tech companies named in the PRISM documents whether they could confirm they had not engaged in the specific activities described by Cardozo. Yahoo!, Paltalk, Microsoft (which owns Skype), and Facebook all referred us to their previous statements. AOL and Apple did not respond. A spokesperson for Google (which owns YouTube) told TPM the company has not given private keys to "any government" but did not specifically respond to the question of whether it allowed the NSA to install equipment in its facilities.

"We don't provide our encryption keys to any government. We believe we're an industry leader in providing strong encryption, along with other security safeguards and tools," the Google spokesperson said by email Friday.

An executive at another tech firm cast doubt on Cardozo's theories.

Ben Adida is the director of the Identity Group at Mozilla, a company that produces several software products including the Firefox browser and mobile operating system. Based on the budget for PRISM listed in the leaked documents, Adida told TPM it would not be feasible for the government to be using a splitter or private keys to access all of the information coming through the companies' datacenters.

"The splitter would imply that the government has set up infrastructure that is comparable to Google's to handle all that traffic and all that data. ... Last I checked the slide set mentioned a budget of $20 million, so that doesn't match," Adida said, suggesting it would cost far more than that for the government to maintain such an infrastructure.

"I know these systems pretty well," said Adida. "My speculation is that these companies have set up automated systems for FISA requests to be sent to them and then automated systems for returning the data in some kind of standard fashion back to the requesters."

The New York Times has described the program in similar terms. "The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice," the paper reported. "It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data."

As long as this exchange included a human gatekeeper processing the requests for the tech companies to ensure they were not overly broad and involved "proper due process," Adida said the program would "be OK." However, given the high level of secrecy surrounding this program, Adida noted it's impossible to know whether a hypothetical FISA request system is being handled properly or if PRISM entails something more far-reaching. Because of this, Adida argued it is in the best interests of both tech companies and the government to be more transparent in order to avoid being seen as sinister by the public.

"We don't have enough data to tell. My sense is those things are not happening, but I think the concern is that I can't tell you that for sure and I can't say for sure that the most paranoid folks are wrong," said Adida. "We need more transparency in what's going on. ... We should build trustworthiness in these deliberations between users and web services. That's critical."

Adida said that the "very strong denials" issued by the tech companies implicated in the leaked documents and the fact that Microsoft, Google, Yahoo!, Facebook, and Twitter have joined together to ask the government to allow them to release more details about the FISA requests they receive make him "optimistic" that the program is not as sweeping as early reports suggested.

"That's huge. That is a really big deal to see these companies wanting to be more transparent. I think that's how we solve this problem," Adida said.

Mozilla has not yet received FISA requests. Adida claimed this is because the company stores "very little data" about its users. However, Adida said he believes government investigators might become more focused on the company in the future as it launches more products that allow users to access data from different locations.

Because of this, on Tuesday, Mozilla launched "StopWatching.US," a campaign to call for greater transparency and accountability in the monitoring of "online data, communications and interactions." A diverse coalition has signed on to support that effort, including groups affiliated with the hacker collective Anonymous and the Tea Party. Adida had a simple explanation for his company's desire to bring transparency to the FISA process.

"While we may not be the target today, we may well be in the future," he said.

About The Author

Hunter Walker is a national affairs reporter for TPM. He came to the site in 2013 from the New York Observer. He has also written for New York Magazine, Gawker, the Village Voice, Forbes, The Daily, and Deadspin. He can be reached at hunter@talkingpointsmemo.com